Fortwährende Virusmeldungen auf Server in C:\Windows\Temp?

#1 Hallo zusammen,

ich habe seit einiger Zeit offensichtlich Probleme mit Viren auf meinem Server. Deswegen wäre ich für eure Hilfe sehr dankbar.

Zunächst mal handelt es sich um ein Windows Server 2003. Somit wäre eine Neuinstallation eine denkbar schlechte Option. Als Viren-Scanner nutze ich "F-Prot Anti Virus for Windows".

Seit einigen Wochen ist in der Ereignisanzeige, im Punkt Anwendung, folgendes zu lesen:


Typ Datum Uhrzeit Quelle Kategorie Ereignis Benutzer Computer
Warnung 20.01.2009 21:46:23 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:46:23 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:46:23 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:46:23 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:46:23 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:46:23 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:46:23 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:46:23 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:46:23 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:46:23 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:46:22 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:46:22 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:46:22 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:46:22 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:46:22 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:46:22 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:46:22 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:46:22 F-PROT Antivirus Scanner 4096
Informationen 20.01.2009 21:46:21 F-PROT Antivirus Scanner 4096
Informationen 20.01.2009 21:46:21 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:45:16 F-PROT Antivirus Scanner 4096
Informationen 20.01.2009 21:45:14 F-PROT Antivirus Scanner 4096
Informationen 20.01.2009 21:45:14 F-PROT Antivirus Scanner 4096
Informationen 20.01.2009 21:42:44 MSSQL$MICROSOFT##SSEE (2) 833 Nicht zutreffend
Warnung 20.01.2009 21:41:54 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:40:01 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:40:01 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:40:01 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:40:01 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:40:00 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:40:00 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:40:00 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:40:00 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:40:00 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:40:00 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:40:00 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:40:00 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:40:00 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:40:00 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:40:00 F-PROT Antivirus Scanner 4096
Warnung 20.01.2009 21:39:59 F-PROT Antivirus Scanner 4096


Die Zeiten variieren. Jedoch treten die Meldungen mindestens zweimal am Tag (immer in oben angezeigter Anzahl) auf.

Dahinter verbigt sich dann:

Found file, C:\WINDOWS\TEMP\FPQ37.tmp->(FSG), infected with W32/Heuristic-210!Eldorado
Found file, C:\WINDOWS\TEMP\FPQ37.tmp->(FSG), infected with W32/Heuristic-210!Eldorado
Found file, C:\WINDOWS\TEMP\FPQ36.tmp->(FSG), infected with W32/Heuristic-210!Eldorado
Found file, C:\WINDOWS\TEMP\FPQ36.tmp->(FSG), infected with W32/Heuristic-210!Eldorado
Found file, C:\WINDOWS\TEMP\FPQ35.tmp->(FSG), infected with W32/Heuristic-210!Eldorado
Found file, C:\WINDOWS\TEMP\FPQ35.tmp->(FSG), infected with W32/Heuristic-210!Eldorado
Found file, C:\WINDOWS\TEMP\FPQ2A.tmp->Client/SubSeven.exe, infected with SubSeven.backdoor.v2_0
Found file, C:\WINDOWS\TEMP\FPQ2A.tmp->Server/SubSeven v2.0.exe->(UPX), infected with W32/SubSeven.E
Found file, C:\WINDOWS\TEMP\FPQ29.tmp->EditServer/EditServer.exe->(Aspack), infected with SubSeven.backdoor.v19
Found file, C:\WINDOWS\TEMP\FPQ29.tmp->Server/SubSeven v1.9.exe->(Aspack), infected with W32/Threat-Backdoor-Silly-based!Maximus

Und noch ein paar andere so Späße (falls von Belang poste ich noch alle anderen).
Jedoch ist C:\Windows\Temp immer leer.

Hier das Logfile von HijackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:34:15, on 20.01.2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\Programme\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Programme\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
C:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Programme\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Programme\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programme\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [WebTemp] "C:\Programme\WebTemp\WebTemp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O15 - ESC Trusted Zone: http://files.f-prot.com
O15 - ESC Trusted Zone: http://www.f-prot.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://192.168.3.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = *------*
O17 - HKLM\Software\..\Telephony: DomainName = *------*
O17 - HKLM\System\CCS\Services\Tcpip\..\{326CF43B-DFB0-40AE-9893-9B6BEED1C258}: NameServer = 127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = *------*
O17 - HKLM\System\CS1\Services\Tcpip\..\{326CF43B-DFB0-40AE-9893-9B6BEED1C258}: NameServer = 127.0.0.1
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Programme\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programme\CDBurnerXP\NMSAccessU.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Programme\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe

--
End of file - 4391 bytes


Es ist mir absolut unerklärlich wie sich dieser Rechner infizieren kann.
Als Server macht er folgendes:
Fileserver, DNS, DHCP, WSUS, Active Directory
Auf dem Server werden kaum Dateien ausgeführt. Eigentlich nur Programme installiert etc. (nur theoretisch vertrauenswürdiges wie z.B. SpeedFan, CDBurnerXP, TotalCommander, etc.). Auch wird von diesem Rechner selbstverständlich nicht im Internet gesurft. Selbst wenn ein Schädling auf einem Netzlaufwerk liegt dass der Server hostet, muss der Code auf dem Server doch erstmal ausgeführt werden. Alleine vom da rum liegen infiziert die Datei/der Virus doch keinen Rechner.

Ich wäre sehr dankbar für eure Hilfe. Möchte meinen Server virenfrei haben.

Vielen Dank im Voraus.

Nachtrag:
Übrigens findet das Anti-Viren Programm bei einem vollständigen Viren-Scan des Rechners, auch im Abgesicherten Modus, nichts.

Gruß
plate

#2 Was fuer eine Aktion fuehrt F-prot aus, wenn es die Funde meldet? Loescht es sie, oder schiebt sie die Datei in Quarantaene?

Ich denke/hoffe mal, das Sysinterneals Filemon auch unter einem Server Betriebsystem arbeitet. Du kannst den "Dateifluss" zumindest kurzzeitig ueberwachen.

Wieviel Clients nutzen den Server?
__________
MfG Ralf
SEO-Spam Hunter

#3 Hallo raman,

danke für die Antwort und sorry für die verspätete Rückmeldung.

F-Prot löscht die Funde in der Regel.
Im Moment wird der Server nur von 2-3 Clients benutzt.

Wie soll ich mit Filemon vorgehen?

Danke schonmal.

Gruß
plate

#4 Filemon starten, schauen und filtern! Schau es dir an, man hat schnell raus, wie man es fuer seine Beduerfnisse anpassen muss...
__________
MfG Ralf
SEO-Spam Hunter

#5 Hallo,

ich habe Filemon jetzt mal einen ganzen Tag mitlaufen lassen um die Zeit an der die Viren auftreten zu erwischen.

Das Ergeignis-Log zeigt folgendes:

Warnung 18.03.2009 21:04:33 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 20:45:04 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 20:45:04 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 20:45:04 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 20:45:04 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 20:45:04 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 20:45:03 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 20:45:03 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 20:45:03 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 20:45:03 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 20:45:03 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 20:45:03 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 20:45:03 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 20:45:02 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 20:45:02 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 20:45:02 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 20:45:02 F-PROT Antivirus Scanner 4096 SYSTEM

Der Filemon Log sagt hierzu folgendes:

1109034 20:45:03 FPAVServer.exe:1352 FASTIO_WRITE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 982908 Length: 4096
1109035 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Read: Offset: 987376 Length: 4096
1109036 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Offset: 987376 Length: 4096
1109037 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Write: Offset: 987004 Length: 4096
1109038 20:45:03 FPAVServer.exe:1352 FASTIO_WRITE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 987004 Length: 4096
1109039 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Read: Offset: 991472 Length: 4096
1109040 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Offset: 991472 Length: 4096
1109041 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Write: Offset: 991100 Length: 4096
1109042 20:45:03 FPAVServer.exe:1352 FASTIO_WRITE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 991100 Length: 4096
1109043 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Read: Offset: 995568 Length: 4096
1109044 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Offset: 995568 Length: 4096
1109045 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Write: Offset: 995196 Length: 4096
1109046 20:45:03 FPAVServer.exe:1352 FASTIO_WRITE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 995196 Length: 4096
1109047 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Read: Offset: 999664 Length: 4096
1109048 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Offset: 999664 Length: 4096
1109049 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Write: Offset: 999292 Length: 4096
1109050 20:45:03 FPAVServer.exe:1352 FASTIO_WRITE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 999292 Length: 4096
1109051 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Read: Offset: 1003760 Length: 4096
1109052 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Offset: 1003760 Length: 4096
1109053 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Write: Offset: 1003388 Length: 4096
1109054 20:45:03 FPAVServer.exe:1352 FASTIO_WRITE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 1003388 Length: 4096
1109055 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Read: Offset: 1007856 Length: 4096
1109056 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Offset: 1007856 Length: 4096
1109057 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Write: Offset: 1007484 Length: 4096
1109058 20:45:03 FPAVServer.exe:1352 FASTIO_WRITE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 1007484 Length: 4096
1109059 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Read: Offset: 1011952 Length: 4096
1109060 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Offset: 1011952 Length: 4096
1109061 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Write: Offset: 1011580 Length: 4096
1109062 20:45:03 FPAVServer.exe:1352 FASTIO_WRITE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 1011580 Length: 4096
1109063 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Read: Offset: 1016048 Length: 4096
1109064 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Offset: 1016048 Length: 4096
1109065 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Write: Offset: 1015676 Length: 4096
1109066 20:45:03 FPAVServer.exe:1352 FASTIO_WRITE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 1015676 Length: 4096
1109067 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Read: Offset: 1020144 Length: 4096
1109068 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Offset: 1020144 Length: 4096
1109069 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Write: Offset: 1019772 Length: 4096
1109070 20:45:03 FPAVServer.exe:1352 FASTIO_WRITE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 1019772 Length: 4096
1109071 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Read: Offset: 1024240 Length: 4096
1109072 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Offset: 1024240 Length: 4096
1109073 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Write: Offset: 1023868 Length: 4096
1109074 20:45:03 FPAVServer.exe:1352 FASTIO_WRITE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 1023868 Length: 4096
1109075 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Read: Offset: 1028336 Length: 4096
1109076 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Offset: 1028336 Length: 4096
1109077 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Write: Offset: 1027964 Length: 4096
1109078 20:45:03 FPAVServer.exe:1352 FASTIO_WRITE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 1027964 Length: 4096
1109079 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Read: Offset: 1032432 Length: 4096
1109080 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Offset: 1032432 Length: 4096
1109081 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Write: Offset: 1032060 Length: 4096
1109082 20:45:03 FPAVServer.exe:1352 FASTIO_WRITE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 1032060 Length: 4096
1109083 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Read: Offset: 1036528 Length: 38
1109084 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS Offset: 1036528 Length: 38
1109085 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Write: Offset: 1036156 Length: 38
1109086 20:45:03 FPAVServer.exe:1352 FASTIO_WRITE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 1036156 Length: 38
1109087 20:45:03 FPAVServer.exe:1352 IRP_MJ_CREATE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Options: Open Access: 00100100
1109088 20:45:03 FPAVServer.exe:1352 IRP_MJ_SET_INFORMATION C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS FileBasicInformation
1109089 20:45:03 FPAVServer.exe:1352 IRP_MJ_CLEANUP C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS
1109090 20:45:03 FPAVServer.exe:1352 IRP_MJ_CLOSE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS
1109091 20:45:03 FPAVServer.exe:1352 IRP_MJ_SET_INFORMATION C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS FileBasicInformation
1109092 20:45:03 FPAVServer.exe:1352 IRP_MJ_CLEANUP C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS
1109093 20:45:03 ntfrs.exe:1608 FSCTL_READ_USN_JOURNAL C: SUCCESS
1109094 20:45:03 FPAVServer.exe:1352 IRP_MJ_CLEANUP C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq\FPC2C.tmp SUCCESS
1109095 20:45:03 FPAVServer.exe:1352 FASTIO_QUERY_OPEN C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software SUCCESS Attributes: D
1109096 20:45:03 FPAVServer.exe:1352 FASTIO_QUERY_OPEN C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows SUCCESS Attributes: D
1109097 20:45:03 FPAVServer.exe:1352 IRP_MJ_CREATE C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\exclusions.xml SUCCESS Options: OverwriteIf Access: 00120196
1109098 20:45:03 FPAVServer.exe:1352 IRP_MJ_WRITE C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\exclusions.xml SUCCESS Offset: 0 Length: 243
1109099 20:45:03 FPAVServer.exe:1352 IRP_MJ_CLEANUP C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\exclusions.xml SUCCESS
1109100 20:45:03 FPAVServer.exe:1352 IRP_MJ_CLOSE C: SUCCESS
1109101 20:45:03 ntfrs.exe:1608 FSCTL_READ_USN_JOURNAL C: SUCCESS


1111396 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 968309 Length: 1024
1111397 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 968309 Length: 1024
1111398 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 969333 Length: 1024
1111399 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 969333 Length: 1024
1111400 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 970357 Length: 1024
1111401 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 970357 Length: 1024
1111402 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 971381 Length: 1024
1111403 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 971381 Length: 1024
1111404 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 972405 Length: 1024
1111405 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 972405 Length: 1024
1111406 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 973429 Length: 1024
1111407 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 973429 Length: 1024
1111408 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 974453 Length: 1024
1111409 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 974453 Length: 1024
1111410 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 975477 Length: 1024
1111411 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 975477 Length: 1024
1111412 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 976501 Length: 1024
1111413 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 976501 Length: 1024
1111414 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 977525 Length: 1024
1111415 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 977525 Length: 1024
1111416 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 978549 Length: 1024
1111417 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 978549 Length: 1024
1111418 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 979573 Length: 1024
1111419 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 979573 Length: 1024
1111420 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 980597 Length: 1024
1111421 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 980597 Length: 1024
1111422 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 981621 Length: 1024
1111423 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 981621 Length: 1024
1111424 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 982645 Length: 1024
1111425 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 982645 Length: 1024
1111426 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 983669 Length: 1024
1111427 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 983669 Length: 1024
1111428 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 984693 Length: 1024
1111429 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 984693 Length: 1024
1111430 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 985717 Length: 1024
1111431 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 985717 Length: 1024
1111432 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 986741 Length: 1024
1111433 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 986741 Length: 1024
1111434 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 987765 Length: 1024
1111435 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 987765 Length: 1024
1111436 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 988789 Length: 1024
1111437 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 988789 Length: 1024
1111438 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 989813 Length: 1024
1111439 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 989813 Length: 1024
1111440 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 990837 Length: 1024
1111441 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 990837 Length: 1024
1111442 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 991861 Length: 1024
1111443 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 991861 Length: 1024
1111444 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 992885 Length: 1024
1111445 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 992885 Length: 1024
1111446 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 993909 Length: 1024
1111447 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 993909 Length: 1024
1111448 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 994933 Length: 1024
1111449 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 994933 Length: 1024
1111450 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 995957 Length: 1024
1111451 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 995957 Length: 1024
1111452 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 996981 Length: 1024
1111453 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 996981 Length: 1024
1111454 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 998005 Length: 1024
1111455 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 998005 Length: 1024
1111456 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 999029 Length: 1024
1111457 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 999029 Length: 1024
1111458 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 1000053 Length: 1024
1111459 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 1000053 Length: 1024
1111460 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 1001077 Length: 1024
1111461 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 1001077 Length: 1024
1111462 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 1002101 Length: 1024
1111463 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 1002101 Length: 1024
1111464 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 1003125 Length: 1024
1111465 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 1003125 Length: 1024
1111466 20:45:03 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Read: Offset: 1004149 Length: 1024
1111467 20:45:03 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ76.tmp SUCCESS Offset: 1004149 Length: 1024

So geht das die ganze Zeit. Zu jeder .tmp-Datei sind diese Einträge zu finden. Insgesamt sind in Filemon weit mehr als 200.000 Datensätze die so aussehen. Ich kann damit nicht wirklich was anfangen.

Zweite Mal am Tag:

Warnung 18.03.2009 21:37:22 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 21:37:22 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 21:37:22 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 21:37:22 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 21:37:21 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 21:37:21 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 21:37:21 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 21:37:21 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 21:37:21 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 21:37:21 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 21:37:20 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 21:37:20 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 21:37:19 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 21:37:19 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 21:37:19 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 21:37:19 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 21:37:18 F-PROT Antivirus Scanner 4096 SYSTEM
Warnung 18.03.2009 21:37:18 F-PROT Antivirus Scanner 4096 SYSTEM

Hier das Filemon Log:

3382397 21:36:16 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253021898 Length: 1024
3382398 21:36:16 Filemon.exe:4408 IRP_MJ_READ* C:\pagefile.sys SUCCESS Offset: 416296960 Length: 4096
3382399 21:36:16 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Read: Offset: 253022922 Length: 1024
3382400 21:36:16 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253022922 Length: 1024
3382401 21:36:16 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Read: Offset: 253023946 Length: 1024
3382402 21:36:16 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253023946 Length: 1024
3382403 21:36:16 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Read: Offset: 253024970 Length: 1024
3382404 21:36:16 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253024970 Length: 1024
3382405 21:36:16 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Read: Offset: 253025994 Length: 1024
3382406 21:36:16 FPAVServer.exe:1352 IRP_MJ_READ* C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253026304 Length: 4096
3382407 21:36:16 Filemon.exe:4408 IRP_MJ_READ* C:\pagefile.sys SUCCESS Offset: 416305152 Length: 4096
3382408 21:36:16 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253025994 Length: 1024
3382409 21:36:16 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Read: Offset: 253027018 Length: 1024
3382410 21:36:16 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253027018 Length: 1024
3382411 21:36:16 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Read: Offset: 253028042 Length: 1024
3382412 21:36:16 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253028042 Length: 1024
3382413 21:36:16 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Read: Offset: 253029066 Length: 1024
3382414 21:36:16 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253029066 Length: 1024
3382415 21:36:16 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Read: Offset: 253030090 Length: 1024
3382416 21:36:16 FPAVServer.exe:1352 IRP_MJ_READ* C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253030400 Length: 4096
3382417 21:36:16 Filemon.exe:4408 IRP_MJ_READ* C:\pagefile.sys SUCCESS Offset: 416309248 Length: 4096
3382418 21:36:16 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253030090 Length: 1024
3382419 21:36:16 Filemon.exe:4408 IRP_MJ_READ* C:\pagefile.sys SUCCESS Offset: 416317440 Length: 4096
3382420 21:36:16 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Read: Offset: 253031114 Length: 1024
3382421 21:36:16 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253031114 Length: 1024
3382422 21:36:16 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Read: Offset: 253032138 Length: 1024
3382423 21:36:16 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253032138 Length: 1024
3382424 21:36:16 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Read: Offset: 253033162 Length: 1024
3382425 21:36:16 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253033162 Length: 1024
3382426 21:36:16 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Read: Offset: 253034186 Length: 1024
3382427 21:36:16 FPAVServer.exe:1352 IRP_MJ_READ* C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253034496 Length: 4096
3382428 21:36:16 Filemon.exe:4408 IRP_MJ_READ* C:\pagefile.sys SUCCESS Offset: 416321536 Length: 4096
3382429 21:36:16 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253034186 Length: 1024
3382430 21:36:16 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Read: Offset: 253035210 Length: 1024
3382431 21:36:16 Filemon.exe:4408 IRP_MJ_READ* C:\pagefile.sys SUCCESS Offset: 347582464 Length: 4096
3382432 21:36:16 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253035210 Length: 1024
3382433 21:36:16 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Read: Offset: 253036234 Length: 1024
3382434 21:36:16 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253036234 Length: 1024
3382435 21:36:16 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Read: Offset: 253037258 Length: 1024
3382436 21:36:16 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253037258 Length: 1024
3382437 21:36:16 FPAVServer.exe:1352 FASTIO_CHECK_IF_POSSIBLE C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Read: Offset: 253038282 Length: 1024
3382438 21:36:16 FPAVServer.exe:1352 IRP_MJ_READ* C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253038592 Length: 4096
3382439 21:36:16 Filemon.exe:4408 IRP_MJ_READ* C:\pagefile.sys Offset: 347590656 Length: 4096
3382440 21:36:16 FPAVServer.exe:1352 FASTIO_READ C:\WINDOWS\TEMP\FPQ79.tmp SUCCESS Offset: 253038282 Length: 1024
3968491 21:39:38 Filemon.exe:4408 IRP_MJ_READ* C:\pagefile.sys SUCCESS Offset: 643678208 Length: 4096
3968492 21:39:38 Filemon.exe:4408 IRP_MJ_READ* C:\pagefile.sys SUCCESS Offset: 643670016 Length: 4096
3968493 21:39:38 Filemon.exe:4408 IRP_MJ_READ* C:\pagefile.sys SUCCESS Offset: 643661824 Length: 4096
3968494 21:39:38 Filemon.exe:4408 IRP_MJ_READ* C:\pagefile.sys SUCCESS Offset: 643653632 Length: 4096
3968495 21:39:38 Filemon.exe:4408 IRP_MJ_READ* C:\pagefile.sys SUCCESS Offset: 643645440 Length: 4096
3968496 21:39:38 Filemon.exe:4408 IRP_MJ_READ* C:\pagefile.sys SUCCESS Offset: 643637248 Length: 4096

Hier ist merkwürdigerweise um 21:37 gar nichts protokolliert. Ich werde daraus nicht so richtig schlau.

Hoffe ihr könnt mir dazu weiterhelfen.

Vielen Dank im Voraus.

Gruß

plate